PK_294685
Feb 23, 2017

ASM Custom Violation for ICAP Scanning

Hello Folks,

I recently started building ICAP AV scanning configurations on F5 LTM. It looks like most of it is pretty easy to configure following some docs on the support site.

But the blocker is, I'm trying to raise a violation using iRules and ASM custom violations. Please see the iRule below:

    when ADAPT_REQUEST_RESULT {
        log local0. "ICAP response is [ADAPT::result]"
        # Any ADAPT result that does not contain "modify" flags the request
        if { ! ([ADAPT::result] contains "modify") } {
            set icap_blocked 1
            ADAPT::result bypass
        } else {
            set icap_blocked 0
        }
    }

    when ASM_REQUEST_DONE {
        # Raise the violation named ICAP if the request was flagged above
        if { [info exists icap_blocked] && $icap_blocked == 1 } {
            ASM::raise ICAP
            log local0. "Raising custom ASM Violation."
            set icap_blocked 0
        }
    }

So far, scanning the files and allowing or blocking the request is working just fine. When it comes to raising a custom violation to the user when a malicious file is uploaded, I'm not seeing any response pages I set on ASM.

Please see the procedure below:

1. Configured AV scanning following the document (link above)

2. Created a security policy on ASM with Blocking enforcement mode (Security->Application Security->Security Policies)

3. Created a custom violation under Security->Options->Application security -> Advanced Configuration -> Violation list->User-Defined Violations->create. See below

Now, created a blocking response page under Security->Application Security->Blocking->Response Pages. See below

Response Headers:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: close

Response Body:

    Request Rejected
    The requested URL was rejected. Please consult with your administrator.
    Your support ID is: <%TS.request.ID()%>

After assigning the iRule to the ICAP virtual server, I uploaded a virus file from a web portal that points to the ICAP virtual IP, and it's being blocked. But I'm not seeing the response page I created.

Any help is much appreciated! Thanks

I know this is too much information. Just thought it would help someone in the future. I appreciate your patience 🙂

  • Are any of the log lines shown?

     

    I do believe you could do this with ASM only. Is there a reason you are using both the LTM part and the ASM part?

     

  • P_K

    I think there is a file size restriction on using just ASM? So I'm using LTM ICAP for scanning and ASM for raising the violation.

     

    If the file is good, logs show "ICAP response is modify" and the file uploads. If the file is bad, logs shown below:

     

     

  • True, 10mb, but it can be increased. How large do you want it to be?

     

    I'm a little lazy, so how is your virtual server set up? Do you use two?

     

  • P_K

    With the current setup we are able to upload 25Mb files, which is fine.

     

    To your question,

     

    I have 2 virtual servers (Standard & Internal). The Standard virtual server has the web server as its pool member, and the Internal virtual server has the ICAP server as its pool.

     

  • P_K

    Yes, I took the iRule from the above link and followed different others to configure.

     

    The TMOS version I'm running is v11.5, which should be good.

     

    And yes, the violation is set to blocking mode.